Friday May 08, 2009

OpenSSO Fedlet Wins European Identity Award

Fedlet started out as the "SAML2 lightweight SDK" 2 years ago, with a small prototype with a UI to show levels of integration points. I recall Jamie demonstrating the prototype to customers in Canada and the surprisingly strong positive reactions it got. Congratulations to the Sun Federation team for productizing this into the neat concept it is today, to our friends in Canada (you know who you are) and to our energetic marketing team for coming up with the catchy "Fedlet" name.
I wonder if things would have been the same if we had kept the original "SAML2 lightweight SDK" name; likely not !! My lesson on how it takes an entire team to make anything successful.
Read all about it here :

Thursday Jan 29, 2009

OpenSSO Community Day : "Unconference" - For Free

Great opportunity to meet OpenSSO developers and share your concerns and experiences.
Details here. And here. To join, please RSVP. The 40 available slots are filling fast!

Sunday Dec 07, 2008

.Net Fedlet (Prototype)

As I was revving up the SecureAttrs C# API, I stumbled upon .Net APIs to perform XML signing and verification, and that led to a usable Fedlet prototype for .Net environments.

To test drive it :
  • Download saml2.dll and sample fedlet.aspx.
  • Deploy them to your IIS server. (I copied SAML2.dll to BIN and fedlet.aspx to c:\Inetpub\wwwroot)
  • Execute the "Create Fedlet" task on the OpenSSO instance serving as IDP and point it to the IIS server that will run the Fedlet. While you are on the console you may also set up an attribute mapping to pass some user profile attributes such as cn, mail and employeeNumber from the IDP to the Fedlet as part of SSO.
  • Export the IDP public key and copy it to C:\fedlet\idp.cer
    cd <opensso_configdir>/<opensso_deploy_uri>
    keytool -export -keystore keystore.jks -alias test -file idp.cer
  • Test : In a browser, invoke the Fedlet. It will prompt you for the IDP (OpenSSO) URL. A URL representing IDP-initiated SAML2 SSO is generated and shown as a link. Click the link to initiate SSO. When prompted for authentication on the IDP end, try the demo user (password : changeit).

    Processing rules implemented :
  • IDP initiated SAML2 POST profile (Unsolicited AuthN Response)
  • verification of XML signature
  • verification of IDP entity id.
  • NotOnOrAfter rule
  • Single-use-assertion

    Work to be done :
  • Audience restriction and other SAML Conditions processing rules
  • Option to verify signature via IDP public key stored locally
  • AuthNRequest for SP initiated SSO
  • Single Logout.
  • Support for multiple IDPs

    Code will be checked into the OpenSSO source repository shortly after it is reviewed, etc.
    fedlet.aspx demonstrates a simple C# SAML2 api, modelled after the Java Fedlet API. Feedback most welcome.
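    The processing rules listed above (IDP entity id check, NotOnOrAfter, single-use assertion) together with the audience restriction still on the to-do list, as an added example written here in Python rather than taken from the .Net Fedlet or the OpenSSO code base. The IDP and SP entity ids and the sample response are constructed, and XML signature verification is assumed to have already passed before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# Constructed sample: an unsolicited (IDP-initiated) SAML2 Response carrying one
# assertion. Its XML signature is assumed verified already (needs an XML-DSig library).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="r1">
  <saml:Assertion ID="a-0001">
    <saml:Issuer>http://idp.example.com:8080/opensso</saml:Issuer>
    <saml:Conditions NotBefore="2008-12-07T00:00:00Z" NotOnOrAfter="2008-12-07T00:10:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://iis.example.com/fedlet</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, idp_entity_id, sp_entity_id, seen_ids, now,
                       skew=timedelta(seconds=60)):
    """Apply the Fedlet-style rules; returns (ok, reason). seen_ids is the shared replay cache."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    # Rule: the assertion must come from the IDP this Fedlet was configured with.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        return False, "unexpected issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions"
    # Rule: NotBefore / NotOnOrAfter, allowing a small clock skew between IDP and SP.
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_time(nb):
        return False, "assertion not yet valid"
    if noa and now - skew >= parse_time(noa):
        return False, "assertion expired"
    # Rule (to-do item above): the audience restriction must name this SP's entity id.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and sp_entity_id not in audiences:
        return False, "audience mismatch"
    # Rule: single use; an assertion ID accepted once is never accepted again.
    if assertion.get("ID") in seen_ids:
        return False, "replayed assertion"
    seen_ids.add(assertion.get("ID"))
    return True, "ok"
```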
    Tuesday Nov 11, 2008

    OpenSSO Enterprise 8 is here

    A superb team effort - Congratulations to all - Engineering, QA, Docs, Marketing, Sustaining, Release engineering, Training and the OpenSSO community.
    Download page.
    Release Notes.

    This release continues with the commitment to provide real value to customers without compromising ease of use and simplicity as represented by this feature list.

    Additional noteworthy aspects of this release :
  • Improved Documentation
  • Vetted end-to-end deployment scenarios based on real customer deployments: Enterprise deployment, Federation deployment
  • Free online training
  • Agents 3.0 - new features including centralized management.
    Saturday Oct 04, 2008

    Ask the Experts - OpenSSO 2008 transcript

    We just concluded our OpenSSO - Ask the Experts event. Many thanks to all those who posted their questions. Apart from technical questions, we are glad we could clarify some queries people had on Enterprise vs Express and, for that matter, Access Manager. I do hope we were able to convey that although it appears to be all new, the source base continues to be on solid ground, vetted by large telco, financial and enterprise customers for more than 5 years now. The transcript is here.

    See you all on our mailing lists and IRC channel..... "where joining the community is free and contributing code is even better"....ok, maybe that was too much :-)

    Special thanks to Edward Ort for organizing and orchestrating the entire week so flawlessly.

    ....and last but definitely not the least the 40+ core engineers, often invisible, who helped with the answers and continue to work wee hours of the night and this weekend to ship the next rev of OpenSSO.

    Tuesday Sep 30, 2008

    OpenSSO Enterprise 8 launched on Second Life

    Congratulations to Daniel Raskin and Jamie Nelson for such a wonderful presentation.
    If you missed Identicat's frolics while eloquently describing the virtues of "Virtual Federation", no worries : it's all recorded here.

    Thursday Sep 25, 2008

    "Ask The Experts" all next week (Mon Sep 29 - Oct 3 2008)

    Starting next week and all week I will be on the panel with my colleagues Aravindan Ranganathan, Qingwen Cheng and Dilli Dorai to answer your questions on OpenSSO. Whatever level you are at with OpenSSO - newbie, expert, customer - please feel free to ask anything ... source ... technology ... community ... products (including the older version, Sun Access Manager, and the upcoming OpenSSO Express and OpenSSO Enterprise releases) ... federation ... policy ... web services ... Fedlet ... anything.

    We are constantly looking for feedback on product improvement, so anything goes - please give us an opportunity not only to answer any queries you may have but also to discuss product improvements, features, what worked for you and above all what didn't.

    More details at this Ask The Experts link.

    Tuesday Sep 23, 2008

    "Summer 08" has SAML 1.1 support

    Kudos to on SAML1.1 support with the Summer 08 release. This Release note covers it nicely:

    ...Unlike with delegated authentication, customers do not have to deploy Salesforce-specific software to use SAML. Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms....

    Wanted to try it out with OpenSSO for a while and finally got a window thanks to the successful OpenSSO code freeze on its way towards Open Express Build 6 / OpenSSO Enterprise 8 (Congrats team!).

    Except for the initial learning curve and my rustiness on SAML1.1, it worked quite nicely! Shouldn't take you any more than 15 minutes:

    Configuring OpenSSO End (Identity Provider) :
  • Obtain OpenSSO.war, deploy it and configure it. If you want a quicker install, but with some risk since it is new, you can try OpenSSO QuickSetup using Java Web Start. I chose as my hostname.
  • Login to the OpenSSO instance as amadmin.
  • Navigate to Federation -> SAML1.1 configuration
  • Register as a "Destination site". I named it SFDC. Make sure the "POST profile" is chosen. Your config should look something like this :

  • Export the source site public key. OpenSSO provides a keystore with a test certificate in it.
    cd <basedir>/<deployuri>
    keytool -export -keystore keystore.jks -alias test -file cert.cer

    Configuring end (Service Provider) :
  • Get a account here.
  • Login to SFDC portal and navigate to Setup (right at the top)->Security Controls->Single Signon Controls
  • Enter all the mandatory fields, and import the OpenSSO public key exported earlier. My setup looks as follows :

    Note that I chose "Federated ID" for my name identifier to directly map the authenticated user in OpenSSO to user. Alternatively I could have configured OpenSSO to send the userid either as part of the Subject or in an attribute statement.
    Save your settings - a "Recipient URL" will be shown on the screen. Select and copy this string - it will be needed in the last step.
  • Navigate to Security->Manage Users->Users, select a user and enter "Edit" mode. Enter the following string in the "Federated NameID" field : id=amadmin,ou=user,dc=opensso,dc=java,dc=net Again, this is a shortcut - in a real deployment I would have created a new user in OpenSSO and used that DN here.
    One last step, thanks to the choice I made with respect to the name identifier: log back in to the OpenSSO instance and navigate to the SFDC SAML1.1 config. Paste the "Recipient URL" into the "POST URL" field.
    That's it - to test your setup, enter the following URL in a browser : Log in as amadmin to OpenSSO if prompted - you should be automatically single signed on to the SFDC portal page.

    A leading On-Demand/SaaS provider supporting an open-standards-based mechanism for single sign-on is indeed a significant step in accelerating the adoption of these standards over costly and often kludgy proprietary mechanisms. Hoping for SAML2, Logout, AuthZ, Attributes and other protocols in the future.
    Tuesday Sep 16, 2008


    Scoop : Mr. Winky's ( IdentiCat ) preparation site spotted !!

    Sept 30th : OpenSSO Enterprise 8 launch party on Sun Island.

    Saturday Sep 06, 2008

    OpenSSO Webstart Prototype : QuickSetup

    Here is a prototype for a Java Web Start based OpenSSO installation built with Embedded GlassFish V3 early builds and Embedded OpenDS.

    The idea is that no separate installation of an app server and directory is necessary to start exercising OpenSSO features.

    Although initially targeted for people new to OpenSSO, clearly there are several interesting possibilities going forward for such a delivery mechanism in the future. Some initial thoughts are listed below :
  • Quick evaluation of OpenSSO samples, Fedlet, Virtual Federation Proxy
  • Developer tooling : test executions
  • Pre configured OpenSSO - for demos, training
  • Upgrading / Patching of OpenSSO bits

    Please feel free to add any other suggestions you may think of.

    Initial Steps
    Step 1 : Click here to invoke QuickSetup

    Choose Java Web Start option and click OK.

    Step 2: Accept the certificate : Make sure it looks something like :

    Note : The certificate will not be self signed in later releases.

    Step 3 : Wait about 25 seconds until the following windows show up one after another:

    This is the QuickStart main user interface. Do not close this window!

    Step 4 : No action - just be patient and wait another 25 seconds for a browser window like the following to show up :

    That's it - simply choose the appropriate configuration option - the configurator wizard will guide you through the rest of the steps.

    Trying out Federation

    You must have already noticed that the steps above automatically start an OpenSSO instance : http://localhost:28080/opensso.
    For exercising Federation functionality (e.g. SAML2) you need at least two OpenSSO instances in two different domains.

    Initial Preparation : Set up /etc/hosts (or equivalent) to add fully qualified hostnames to represent a Service Provider and an Identity Provider respectively : eg : localhost,
    Install two instances using the QuickSetup Web Start UI.
    For example :
    Enter sp , click "Deploy" - wait 25 seconds for a configurator window similar to the one in Step 4 above to show up. Change the URL to your SP installation. E.g. :
    Configure using this OpenSSO instance's configurator wizard and then use the Service Provider task flow to set this instance up as a Service Provider.
    Back in the Web Start window, enter "idp" and click "Deploy". Same steps as above, except this time change the URL to : and configure this instance as an Identity Provider.

    Stopping OpenSSO

    Click the "Exit OpenSSO" button in the Web Start window. This will shut down all OpenSSO instances.

    Re-starting OpenSSO

    Invoking QuickSetup again restarts the default OpenSSO instance - it will use the configuration set up earlier, i.e. you don't need to configure it again. To restart other OpenSSO instances configured earlier, use the QuickSetup UI to enter the deploy URI and click "Deploy". To unconfigure a given instance, stop OpenSSO, remove the configuration directory provided during setup and reinvoke Web Start.

    Misc Notes/Known Issues

  • QuickSetup creates and uses $HOME/OpenSSOQuickSetup on your desktop - and for a single instance may use up as much as 256MB of disk space.
  • QuickSetup needs Java SE 1.5+ installed.
  • Linux 64-bit x86 does not support Java Web Start
  • There are some issues reported on some Windows Vista and Mac systems where QuickSetup fails to start. Debug dumps can be found under the $HOME/OpenSSOQuickSetup directory.
  • Limiting WebSetup permissions to report and sandbox within $HOME/OpenSSOQuickSetup is being worked on.
  • Currently the jars are signed with a self signed certificate. This issue will be resolved.
    Saturday Aug 09, 2008

    OpenSSO Commercial release Early Access via OpenSSO Express build5

    This is a great opportunity for the community to provide feedback for consideration in the upcoming commercial release.

    Friday Jul 25, 2008

    OpenSSO Express

    The following press release says it all:

    Sun today announces comprehensive, enterprise-class support and indemnification for OpenSSO, the open source code-base from which Sun Access Manager is derived. And Sun is making its Sun Access Manager offering even more attractive to enterprises by extending support to also include OpenSSO Express, early access versions of the next Access Manager release that have been fully tested and certified by the OpenSSO community.

    I think this will particularly find its sweet spot with the early adopter and early majority kinds of security deployments. For more traditional enterprises this is an excellent opportunity to shake out the solution much earlier in the development and planning cycle, which would be impossible with any other competitive product.
    Looking forward to very interesting times ahead as we see this significant milestone get adopted in the market !

    OpenSSO Express Feature Article
    OpenSSO Project
    OpenSSO Wiki
    Sun Access Manager Product Page
